Archive for April, 2018

This blog is part of a series of technical blogs leading up to the release of openSUSE Leap 15. All of the blogs provide a use case regarding openSUSE Leap and the packages available in the distribution. Happy reading.

Authored by Peter Czanik

People often ask me what to use: systemd’s journald or syslog-ng? The quick answer is most likely both, but it depends on how you use your computer(s). If you have a single standalone machine, journald is probably enough. There is even a nice desktop application to view the logs in the journal. But once you have multiple machines to manage, using syslog-ng has many advantages.

Even if you use syslog-ng, local system logs are collected by journald. It is an integral part of systemd and cannot be uninstalled. Luckily, syslog-ng can read log messages from the journal. If journald stores additional name-value pairs about an event, syslog-ng can read those as well.

So, why install syslog-ng? The short answer is: central logging.

Why is the central collection of logs such a big deal? One reason is ease of use, as central logging creates a single place to check logs instead of tens or thousands of devices. Another reason is availability – you can check a device’s log messages even if the device itself is unavailable for any reason. A third reason is security; when your device is hacked, checking the logs can uncover traces of the hack.

journald also has some central logging capabilities, but syslog-ng provides a lot more features and better performance:

journald was originally designed for local logs on desktops – where there are not that many logs. On the other hand, syslog-ng was designed for high-performance central log collection from the ground up.

syslog-ng can collect logs from many more sources, including pipes, sockets, and files. File sources are especially important, as many applications – like web servers – log to files and do that at a rate that journald cannot handle.

syslog-ng does more than simple log storage. It can process log messages in many ways: parse them to create name-value pairs for easier alerting and reporting, enrich them with geographical information (GeoIP), rewrite them for anonymization (see PCI-DSS or GDPR), or reformat them according to the requirements of the destination.

Filtering in syslog-ng makes very precise log routing possible, ensuring that all logs reach the right destination.

Speaking of destinations: there are many possibilities for storing log messages, not just flat files or other syslog servers, as was the case many years ago. For example, you can store logs in SQL databases, send logs to Splunk for further analysis using HTTP, store name-value pairs parsed from logs in MongoDB, or send an email alert using the SMTP destination.
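
A minimal syslog-ng configuration tying together the pieces described above: a journal source, a file source, an anonymizing rewrite, filter-based routing and TLS forwarding to a central server. This is an added example, not part of the original post; the version line, host name, certificate directory and file paths are assumptions to adapt to your own setup.

```conf
# Assumption: set this to the version reported by `syslog-ng --version`.
@version: 3.13

# Local system logs, read from the journal together with any
# additional name-value pairs journald stored for the event.
source s_journal { systemd-journal(); internal(); };

# An application that logs to a file instead of the journal
# (assumed path of a web server access log; lines are not syslog-formatted).
source s_web { file("/var/log/apache2/access_log" flags(no-parse)); };

# Anonymization: mask anything in the message text that looks like an IPv4 address.
rewrite r_mask_ipv4 {
    subst('([0-9]{1,3}\.){3}[0-9]{1,3}', 'x.x.x.x', value("MESSAGE"), flags("global"));
};

# Filter used for routing: authentication-related events only.
filter f_auth { facility(auth, authpriv); };

# Central log server reached over TLS (constructed host name).
# peer-verify(required-trusted) rejects servers whose certificate
# does not chain to a CA in ca-dir.
destination d_central {
    network("logs.example.org" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d") peer-verify(required-trusted)));
};

# Local flat file for authentication events (assumed path).
destination d_auth_local { file("/var/log/auth-copy.log"); };

# All collected logs go to the central server with addresses masked.
log { source(s_journal); source(s_web); rewrite(r_mask_ipv4); destination(d_central); };

# Authentication events are additionally written to a local file.
log { source(s_journal); filter(f_auth); destination(d_auth_local); };
```

Running `syslog-ng --syntax-only` against the file checks it before the service is restarted.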

RADV received several fixes in snapshot 20180424 with the update to Mesa 18.0.1. Mesa core also had some patches to fix issues around overriding the OpenGL/ES supported version through environment variables, and a patch to fix an issue with texture samples found in “The Witness” through Wine. An updated description for the SSLProtocol option was made available with the apache2 2.4.33 package and apparmor 2.13 delivered a change of the (writeable) cache directory to /var/cache/apparmor/ with the new btrfs layout. The reason for using /var/lib/apparmor/cache/, which was “it’s part of the / subvolume”, is gone, and /var/cache makes more sense for the cache, according to the changelog. The cleanup process and behavior are a lot better with the update of ccache 3.4.2. Backup tool deja-dup 38.0 was a major update and excludes snap cache directories by default. GTK has a new ‘Widgetbowl’ demo and the wayland backend now supports the stable xdg-shell protocol in gtk3 3.22.30. Linux Kernel 4.16.3 arrived in the snapshot and the GL Vendor-Neutral Dispatch library, libglvnd, was bumped to major version 1.0.0 thanks to EGL and GLX interfaces being defined and stable. The Tumbleweed rating tool is currently trending the snapshot as stable with an 88 rating.

The Travel Support Program (TSP) provides travel sponsorships to openSUSE community members who want to attend the openSUSE conference and need financial assistance. The openSUSE conference 2018 will be in Prague, Czech Republic from May 25 to May 27.

The goal of the TSP is to help everybody in and around openSUSE to be able to attend the openSUSE Conference!

When and how

Those requesting TSP support for this year’s openSUSE Conference have until April 29 to submit their request.

You will need an openSUSE Connect account in order to log in to the application and apply for sponsorship. Please be sure to fill in all of your personal details in your openSUSE Connect account to avoid delays or a declined request. A good application with good information will be processed faster.

There have been a few openSUSE Tumbleweed snapshots released in the past two weeks that brought some new features and fixes to users.

This blog will go over the past two snapshots.

The last snapshot, 20180416, had several packages updated. The adobe-sourceserifpro-fonts package updated to version 2.000; with the change, the fonts were refined to make the Semibold and Bold heavier. Both dbus-1 and dbus-1-x11 were updated to 1.12.6, which fixed some regressions introduced in version 1.10.18 and 1.11.0. The gtk-vnc 0.7.2 package deprecated the manual python2 binding, which will be deleted in the next release, in favor of GObject introspection. Notifications that caused a crash were fixed in kdeconnect-kde 1.3.0. The 4.16.2 Linux Kernel made ip_tunnel, ipv6, ip6_gre, ip6_tunnel and vti6 better validate user-provided tunnel names. Due to a build system failure, not all 4.16.2 binaries were built correctly; this will be resolved in the 20180417 snapshot, which will be released shortly. Krita 4.0.1 had multiple fixes from its major version upgrade. The visual diff and merge tool meld 3.19.0 added new features like a new per-pane status bar with selectors for syntax highlighting and text encoding. Python Imaging Library python-Pillow 5.1.0 removed the freetype-2.9.patch and YaST had several packages with a version bump.

The Tumbleweed rating tool is currently trending the past few snapshots as unstable, but the last snapshot’s rating is posting a false negative due to comments made on the openSUSE Factory Mailing thread about the 4.16.2 Linux Kernel.

Maybe some of you noticed that our *.opensuse.org certificate, used on many of our services, will expire soon (on 2018-04-23).

As we noticed that as well, we decided to put a bit of work into this topic, and we will use Let’s Encrypt certificates for the encrypted services of the openSUSE community.

This is just a short notice / announcement for all of you that we are working on this topic at the moment. We will announce, together with the deployment of the new certificate, the corresponding hashes and maybe some further information on our way of implementing things.

Just to give you a small sample of the services which will be affected, maybe you use one from the following list:

(This is a mixed list of services maintained by openSUSE Heroes and/or several SUSE teams for the openSUSE community – the certificate exchange will affect those services.)

build.opensuse.org

api.opensuse.org

openqa.opensuse.org

static.opensuse.org

ci.opensuse.org

svn.opensuse.org

software.opensuse.org

$LANG.opensuse.org for the several wiki instances

download.opensuse.org

keyserver.opensuse.org

…and many, many more :) – thanks to everybody in the openSUSE Heroes team for maintaining the zoo of services ;)

Thanks to the FLOSS & openSUSE community, we have full support of Let’s Encrypt certificates already on board our distribution.

As there are so many options to choose from, we decided on the following tool to use Let’s Encrypt certificates:

dehydrated – as client with ACME v2 support – https://software.opensuse.org/package/dehydrated

with custom hook scripts, that will provide the wildcard-certificates to our proxy-infrastructure

Thanks to everybody involved in this task for getting the migration done.

Fun fact, as you might have noticed before, news.opensuse.org is not part of the openSUSE Heroes infrastructure (yet) and already got a new certificate from DigiCert.

The release of openSUSE Leap 15 is scheduled for the first day of this year’s openSUSE Conference in Prague, Czech Republic on May 25.

The package submission deadline for non-bug fix package updates is April 24 as Leap enters the release candidate phase. The scheduled release for Leap 15 is May 25 at 12:00 UTC.

Leap has been using a rolling development model for building Leap 15 beta versions. Bug fixes and new packages have been released via snapshots to users testing the beta versions. The snapshots for the test version will stop and maintenance and security updates for Leap 15’s release will begin next month. Linux professionals and anyone looking to use Leap 15 are encouraged to test the beta versions as there are still snapshots being released and announced on the openSUSE Factory Mailing List. A list of items to test is available here.

The openSUSE project is pleased to announce that with Leap 15 Live images will again be available. Both KDE and GNOME can be tested without having to change your current system.

openSUSE Leap 15 shares a common core with SUSE Linux Enterprise (SLE) 15 sources and has thousands of community packages on top to meet the needs of professional and semi-professional users and their workloads.

The Kubic Project contributed a system role selection available with the release that offers two types of server roles: the classic server role and a Transactional Server role, which uses transactional updates and a Read-Only Root Filesystem. The release at the openSUSE Conference will give the openSUSE community and Free Open Source Software projects an opportunity to discuss plans for the openSUSE Leap 15 release, which will receive maintenance updates for at least three years.

The most recent snapshot was 20180403 and it included several updates for gstreamer 1.12.5 packages. Multiple bugs were fixed for gstreamer-editing-services, gstreamer-plugins-libav and gstreamer-validate. The gstreamer-rtsp-server package update to 1.12.5 had to drop the pkgconfig(libcgroup) because of a clash with systemd that causes bug reports. The Lightweight Directory Access Protocol, openldap2 version 2.4.46, fixed a Transport Layer Security connection timeout and removed obsolete back-port patches. The python-cryptography package was updated from version 2.1.4 to 2.2.1 and allows for the loading of Digital Signature Algorithm keys with 224 bit q size. The snapshot is currently trending at 91 rating on the rating tool.

The 1.12.5 gstreamer package arrived in snapshot 20180402. The new gstreamer package, which constructs the graphs of media-handling components, fixes the handling of encoded silence, the tagging of keyframes on output buffers and updates the internal copy to ffmpeg 3.3.6. The Generic Graphics Library gegl 0.3.30 now has a build requirement of GIMP 2.10.0 and had some complex changes in the NEWS file.

Snapshot 20180401 added Application Programming Interface support for Microsoft’s .NET 4.7.1 with the update of the mono-core package to version 5.8.1, and snapshot 20180331 updated Mozilla Firefox to version 59.0.2. The new version of Firefox fixed more than a handful of bugs, added a couple of patches and addressed Common Vulnerabilities and Exposures CVE-2018-5148.